diff --git a/bin/dig/Makefile.am b/bin/dig/Makefile.am
index 3e86eeb3ff..18af2407c2 100644
--- a/bin/dig/Makefile.am
+++ b/bin/dig/Makefile.am
@@ -5,6 +5,7 @@ AM_CPPFLAGS += \
 $(LIBDNS_CFLAGS) \
 $(LIBISCCFG_CFLAGS) \
 $(LIBIDN2_CFLAGS) \
+ $(OPENSSL_CFLAGS) \
 $(LIBUV_CFLAGS) \
 $(OPENSSL_CFLAGS)
 
@@ -13,6 +14,7 @@ LDADD += \
 $(LIBISC_LIBS) \
 $(LIBDNS_LIBS) \
 $(LIBISCCFG_LIBS) \
+ $(OPENSSL_LIBS) \
 $(LIBIDN2_LIBS)
 
 noinst_LTLIBRARIES = libdighost.la
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index 11a1b11dda..f6783deb48 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -21,6 +21,7 @@
 
 #include
 #include
+#include
 #include
 #include
 #include
@@ -69,6 +70,16 @@ static bool short_form = false, printcmd = true, plusquest = false,
 pluscomm = false, ipv4only = false, ipv6only = false, digrc = true;
 static uint32_t splitwidth = 0xffffffff;
 
+#include
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include
+#include
+#endif
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+static OSSL_PROVIDER *fips = NULL, *base = NULL;
+#endif
+
 /*% opcode text */
 static const char *const opcodetext[] = {
 "QUERY", "IQUERY", "STATUS", "RESERVED3",
@@ -2573,8 +2584,8 @@ exit_or_usage:
 /*%
 * #true returned if value was used
 */
-static const char *single_dash_opts = "46dhimnruv";
-static const char *dash_opts = "46bcdfhikmnpqrtvyx";
+static const char *single_dash_opts = "46dFhimnruv";
+static const char *dash_opts = "46bcdFfhikmnpqrtvyx";
 static bool
 dash_option(char *option, char *next, dig_lookup_t **lookup,
 bool *open_type_class, bool *need_clone, bool config_only, int argc,
@@ -2631,6 +2642,9 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 debugging = true;
 }
 break;
+ case 'F': /* FIPS */
+ /* FIPS is handled in preparse_args() */
+ break;
 case 'h':
 help();
 exit(EXIT_SUCCESS);
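Review bot: `$(OPENSSL_CFLAGS)` is now listed twice in AM_CPPFLAGS — the added line sits two entries above the existing `$(OPENSSL_CFLAGS)` that already closes the list. It is harmless for the compiler but a maintenance wart that will confuse the next person touching this block; drop one of them, most simply the added `+ $(OPENSSL_CFLAGS) \` line. The LDADD hunk below it has no such duplicate among the entries visible here.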
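Review bot: The OpenSSL `#include` lines added after `splitwidth` land in the middle of the file's static data rather than in the include block that the earlier hunk at line 21 already touches, and the two adjacent `#if OPENSSL_VERSION_NUMBER >= 0x30000000L` blocks (the guarded includes, then the `fips`/`base` statics) can be a single block. Moving the includes up keeps the version-guarded declarations together and avoids a second include section that later readers will not expect. The provider handles themselves deserve a one-line comment saying who owns them, e.g. `/* OpenSSL 3 provider handles taken by -F in preparse_args(); released in main() */`.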
@@ -2904,6 +2918,28 @@ preparse_args(int argc, char **argv) {
 /* For debugging early startup */
 debugging = true;
 break;
+ case 'F':
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ fips = OSSL_PROVIDER_load(NULL, "fips");
+ if (fips == NULL) {
+ ERR_clear_error();
+ fatal("Failed to load FIPS provider");
+ }
+ base = OSSL_PROVIDER_load(NULL, "base");
+ if (base == NULL) {
+ OSSL_PROVIDER_unload(fips);
+ ERR_clear_error();
+ fatal("Failed to load base provider");
+ }
+#endif
+ /* Already in FIPS mode? */
+ if (isc_fips_mode()) {
+ break;
+ }
+ if (isc_fips_set_mode(1) != ISC_R_SUCCESS) {
+ fatal("setting FIPS mode failed");
+ }
+ break;
 case 'm':
 memdebugging = true;
 isc_mem_debugging = ISC_MEM_DEBUGTRACE |
@@ -3428,5 +3464,14 @@ main(int argc, char **argv) {
 dig_startup();
 dig_shutdown();
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ if (base != NULL) {
+ OSSL_PROVIDER_unload(base);
+ }
+ if (fips != NULL) {
+ OSSL_PROVIDER_unload(fips);
+ }
+#endif
+
 return exitcode;
 }
diff --git a/bin/dig/dig.rst b/bin/dig/dig.rst
index 83c0ab7acf..90c4a8dc96 100644
--- a/bin/dig/dig.rst
+++ b/bin/dig/dig.rst
@@ -20,7 +20,7 @@ dig - DNS lookup utility
 Synopsis
 ~~~~~~~~
 
-:program:`dig` [@server] [**-b** address] [**-c** class] [**-f** filename] [**-k** filename] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-v**] [**-x** addr] [**-y** [hmac:]name:key] [ [**-4**] | [**-6**] ] [name] [type] [class] [queryopt...]
+:program:`dig` [@server] [**-b** address] [**-c** class] [**-f** filename] [**-F**] [**-k** filename] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-v**] [**-x** addr] [**-y** [hmac:]name:key] [ [**-4**] | [**-6**] ] [name] [type] [class] [queryopt...]
 
 :program:`dig` [**-h**]
 
@@ -126,6 +126,10 @@ Options
 same way it would be presented as a query to :program:`dig` using the
 command-line interface.
 
+.. option:: -F
+
+ This option enables FIPS mode if supported by the cryptographic library in use.
+
 .. option:: -h
 
 Print a usage summary.
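Review bot: Both failure paths in the new `case 'F'` call `ERR_clear_error()` before `fatal()`, so the OpenSSL reason for a failed provider load (a missing or invalid FIPS module configuration, a failed self-test) never reaches the operator, who only sees "Failed to load FIPS provider"; print the queue first, e.g. `ERR_print_errors_fp(stderr);` immediately ahead of each `ERR_clear_error();`. A repeated `-F` on the command line also overwrites `fips` and `base` with fresh handles before the `isc_fips_mode()` check runs, leaking one reference to each provider because main() unloads only the last handle; guarding the two loads with `if (fips == NULL)` / `if (base == NULL)` avoids that without changing the first-call behaviour. preparse_args() begins before this hunk, so whether any earlier option has already initialised libcrypto state cannot be confirmed from here.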